1.8.14 breaks for years now working setups i realized the "move svnauthz to -tools" and installed "subversion-tools" followed by a hard restart of httpd, no change, downgrade and all is working fine again - sorry but not acceptable for a minor update ____________________________________________________ 1.8.14: [Wed Sep 30 15:44:48.133571 2015] [authz_svn:error] [pid 24348] [client 10.0.0.99:50460] Access denied: - OPTIONS :/contentlounge/modules/dns [Wed Sep 30 15:46:14.068687 2015] [authz_svn:error] [pid 5177] [client 10.0.0.99:50462] Access denied: - OPTIONS :/contentlounge/modules/dns [Wed Sep 30 15:52:52.755016 2015] [authz_svn:error] [pid 5175] [client 10.0.0.99:50494] Access denied: - OPTIONS :/contentlounge/modules/dns [Wed Sep 30 15:54:13.702543 2015] [authz_svn:error] [pid 24351] [client 10.0.0.99:50510] Access denied: - OPTIONS :/contentlounge/modules/dns [harry@rh:~]$ svn-commit.sh "Panel: Rename-Option fuer A-Records implementiert nachdem ich die jetzt schon viel zu oft brauche und immer in der Datenbank direkt rumschreiben muss" svn: E175013: Übertragen schlug fehl (Details folgen): svn: E175013: Unable to connect to a repository at URL 'http://svn/contentlounge/modules/dns' svn: E175013: Zugriff auf »/contentlounge/modules/dns« verboten ____________________________________________________ Sep 30 16:03:08 INFO Downgraded: subversion-libs-1.8.13-7.fc22.x86_64 Sep 30 16:03:08 INFO Downgraded: subversion-libs-1.8.13-7.fc22.x86_64 Sep 30 16:03:09 INFO Downgraded: subversion-1.8.13-7.fc22.x86_64 Sep 30 16:03:09 INFO Downgraded: subversion-1.8.13-7.fc22.x86_64 Sep 30 16:03:09 INFO Downgraded: subversion-kde-1.8.13-7.fc22.x86_64 Sep 30 16:03:09 INFO Downgraded: subversion-kde-1.8.13-7.fc22.x86_64 Sep 30 16:03:09 INFO Downgraded: subversion-tools-1.8.13-7.fc22.x86_64 Sep 30 16:03:09 INFO Downgraded: subversion-tools-1.8.13-7.fc22.x86_64 Sep 30 16:03:09 INFO Downgraded: mod_dav_svn-1.8.13-7.fc22.x86_64 Sep 30 16:03:09 INFO Downgraded: mod_dav_svn-1.8.13-7.fc22.x86_64 Sep 30 16:03:09 INFO Erased: subversion-tools-1.8.14-1.fc22.x86_64 Sep 30 16:03:09 INFO Erased: subversion-tools-1.8.14-1.fc22.x86_64 Sep 30 16:03:09 INFO Erased: subversion-kde-1.8.14-1.fc22.x86_64 Sep 30 16:03:09 INFO Erased: subversion-kde-1.8.14-1.fc22.x86_64 Sep 30 16:03:09 INFO Erased: subversion-1.8.14-1.fc22.x86_64 Sep 30 16:03:09 INFO Erased: subversion-1.8.14-1.fc22.x86_64 Sep 30 16:03:09 INFO Erased: mod_dav_svn-1.8.14-1.fc22.x86_64 Sep 30 16:03:09 INFO Erased: mod_dav_svn-1.8.14-1.fc22.x86_64 Sep 30 16:03:09 INFO Erased: subversion-libs-1.8.14-1.fc22.x86_64 Sep 30 16:03:09 INFO Erased: subversion-libs-1.8.14-1.fc22.x86_64 [harry@rh:~]$ svn-commit.sh "Panel: Rename-Option fuer A-Records implementiert nachdem ich die jetzt schon viel zu oft brauche und immer in der Datenbank direkt rumschreiben muss" Sende modules/dns/gui.php Sende modules/dns/library.php Übertrage Daten .. Revision 3939 übertragen ____________________________________________________
What's the auth config?
I don't get the comment about svnauthz: that happened in 1.8.13-7, which has been in f22 stable for a few months. Was your config broken with that package too?
Please read my report again - first the broken version is mentioned in the subject, then you see apache logs with the error messages and under a spacer line the downgrade log followed by the successful commit
I am currently not on my computer and need to seek the config because i configured subversion once in my life in 2007 without any changes and honestly even don't remember hiw - followed a how-to mod_dav_svn and running with httpd at least i can say for now
<VirtualHost *:443> ServerName "svn.test.rh" Options +Indexes +Multiviews -FollowSymLinks SSLCertificateFile "conf/ssl/rhsoft.net.pem" SSLEngine On KeepAlive On SSLUseStapling Off <Location /> AllowMethods OPTIONS PROPFIND GET POST HEAD REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE Require ip 127.0.0.1 Require ip 10.0.0.0/24 Require ip 192.168.1.0/24 DAV svn SVNPath "/svn/updateservice/subversion" SVNListParentPath On AuthType Basic AuthName "Versionsverwaltung" AuthUserFile "/etc/httpd/conf/svn_passwd" AuthzSVNAccessFile "/etc/httpd/conf/svn_access" Require valid-user <IfModule mod_security2.c> SecRuleEngine Off </IfModule> </Location> <IfModule mod_headers.c> Header always set "Strict-Transport-Security" "max-age=31536000" </IfModule> </VirtualHost> </IfModule>
obviously it's a change in 1.8.14 with the dumb default of "AuthzSVNAnonymous On", after add "AuthzSVNAnonymous Off" inside the <Location>-directive it works again likely one of that changes without change the "AuthzSVNAnonymous" default proper which sould not be enabled at all without saying so * mod_authz_svn: do not leak information in mixed anonymous/authenticated httpd (dav) configurations (CVE-2015-3184) * do not leak paths that were hidden by path-based authz (CVE-2015-3187)
Interesting, thanks. I'm confused by this, I couldn't reproduce it, though there's a report upstream of similar issues with 1.8.14 and mod_auth_kerb where the 401 is not getting triggered. You don't have have a "Satisfy" present anywhere else in the configuration by any chance?
no, while i think "Satisfy" is a httpd 2.2 thing and not supported in 2.4 there maybe <Directory> settings overlaying the vhost somehow (complex setup) but it's a unexpected regression anyways for a minor update - however solved with "AuthzSVNAnonymous Off" [root@srv-rhsoft:/etc/httpd/conf]$ cat *.conf | grep -i Satisfy [root@srv-rhsoft:/etc/httpd/conf]$ cd sites_enabled/ [root@srv-rhsoft:/etc/httpd/conf/sites_enabled]$ cat *.conf | grep -i Satisfy
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.